Re: [Full-Disclosure] Security Update: [CSSA-2002-050.0] Linux: tcpdump denial-of-service in print-bgp.c

[Silvio Cesare <silvio () big net au>]

Also, one quick addition to this; this problem effects all tcpdump, and is not
OpenLinux (or even Linux) specific.

It is recommended that ALL distro's upgrade their packages to the latest,
which has long resolved the specific problem this advisory is
reporting.

Anyway.. nice advisory ;-)

--
Silvio

On Tue, Nov 19, 2002 at 03:55:31PM -0800, security () caldera com wrote:
> To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com full-disclosure 
> () lists netsys com
>
> ______________________________________________________________________________
>
>                       SCO Security Advisory
>
> Subject:              Linux: tcpdump denial-of-service in print-bgp.c 
> Advisory number:      CSSA-2002-050.0
> Issue date:           2002 November 19
> Cross reference:
> ______________________________________________________________________________
>
>
> 1. Problem Description
>
>       There is a miscalculation in the use of the sizeof operator in
>       tcpdump, allowing, at the least, a denial-of-service attack.
>
>
> 2. Vulnerable Supported Versions
>
>       System                          Package
>       ----------------------------------------------------------------------
>
>       OpenLinux 3.1.1 Server          prior to tcpdump-3.6.2-4.i386.rpm
>
>       OpenLinux 3.1.1 Workstation     prior to tcpdump-3.6.2-4.i386.rpm
>
>       OpenLinux 3.1 Server            prior to tcpdump-3.6.2-4.i386.rpm
>
>       OpenLinux 3.1 Workstation       prior to tcpdump-3.6.2-4.i386.rpm
>
>
> 3. Solution
>
>       The proper solution is to install the latest packages. Many
>       customers find it easier to use the Caldera System Updater, called
>       cupdate (or kcupdate under the KDE environment), to update these
>       packages rather than downloading and installing them by hand.

--
Silvio